New research from the international IT organisation ISACA shows that improvements in mobile payment security technology are actually reducing risks and boosting consumer confidence to levels previously only seen with plastic payment cards.
ISACA has published the free guide “Is Mobile the Winner in Payment Security?”, which sets out a number of security advantages that mobile payments hold over traditional card-present and online purchases. It cites three advances as the most significant: tokenization, device-specific cryptograms and two-factor authentication.
According to Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, the ISACA Board chair and group director of information security for INTRALOT, “mobile payments, with embedded, improved and transparent security controls, are a great example of how security can act as a business enabler, contributing to the creation of end-user trust.”
The guide singles out the following mechanisms as the main drivers of the improvement in mobile payment security:
- Tokenization: Secure mobile payment applications, commonly known as mobile wallets, send a randomly generated token to the point-of-sale (POS) terminal and the payment network instead of the card’s Primary Account Number (PAN), so the customer’s card data is never exposed in transit. In the ongoing race to stay ahead of attackers, tokenization is the control that, according to the ISACA guide, puts mobile payments ahead of card payments in protecting sensitive financial information. Tokens can be restricted so that they are valid only for a defined time window, a specific merchant or a set transaction amount, and a token can be mapped back to the original card data only by the issuing bank and other authorised parties.
- Device-specific cryptograms: The cryptogram proves that the payment originated from the cardholder’s own device. Because the cryptogram sent to the POS terminal alongside the token is bound to that device, an attacker who captures the transaction data cannot reuse it from another device, which makes the stolen data worthless.
- Two-factor authentication: Requiring two independent factors adds a further layer of protection against mobile payment fraud. The usual factor types are something the user knows (such as a password or PIN), something the user has (such as the phone or the payment card) and something the user is (a biometric such as a fingerprint, voiceprint or facial recognition).
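To make the tokenization and device-cryptogram mechanics concrete, the following is an added, deliberately simplified model written for this page; it is not code from ISACA’s guide or from any real wallet or payment network. An issuer-side token vault holds the only mapping from a random token back to the PAN and attaches the domain restrictions the guide describes (merchant, amount ceiling, expiry). The wallet on the device holds the token and a per-device key and produces an HMAC-SHA256 over the transaction fields as a stand-in for a real EMV payment cryptogram; the authorisation check rejects a cryptogram produced under any other key, and also rejects a replayed transaction counter, which goes one step beyond the page’s device-binding point. The class and function names, the merchant identifiers and the sample PAN (the well-known 4111… test number) are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """Issuer-side record for one provisioned token (hypothetical layout)."""
    pan: str               # real card number; never leaves the vault
    device_key: bytes      # shared only with the enrolled device
    merchant_id: str       # token may be used at this merchant only
    max_amount_cents: int  # per-transaction ceiling
    not_after: int         # unix time after which the token is dead
    last_counter: int = 0  # highest transaction counter accepted so far


def compute_cryptogram(device_key: bytes, token: str, merchant_id: str,
                       amount_cents: int, counter: int) -> bytes:
    """HMAC over the transaction fields with the device key.

    This stands in for an EMV cryptogram; the real scheme is different,
    but the property demonstrated is the same: only the enrolled device
    can produce a value the issuer will accept."""
    msg = f"{token}|{merchant_id}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenVault:
    """Issuer side: the only place a token maps back to a PAN."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def provision(self, pan: str, merchant_id: str, max_amount_cents: int,
                  not_after: int) -> tuple[str, bytes]:
        token = "TK" + secrets.token_hex(8)     # random; reveals nothing about the PAN
        device_key = secrets.token_bytes(32)    # delivered to the wallet at enrolment
        self._records[token] = TokenRecord(pan, device_key, merchant_id,
                                           max_amount_cents, not_after)
        return token, device_key

    def authorise(self, msg: dict, now: int) -> tuple[bool, str]:
        """Check domain restrictions, then the device binding, then replay."""
        rec = self._records.get(msg["token"])
        if rec is None:
            return False, "unknown token"
        if now > rec.not_after:
            return False, "token expired"
        if msg["merchant_id"] != rec.merchant_id:
            return False, "merchant not allowed"
        if msg["amount_cents"] > rec.max_amount_cents:
            return False, "amount over limit"
        expected = compute_cryptogram(rec.device_key, msg["token"], msg["merchant_id"],
                                      msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "cryptogram does not match enrolled device"
        if msg["counter"] <= rec.last_counter:
            return False, "replayed counter"
        rec.last_counter = msg["counter"]
        return True, f"approved, PAN ending {rec.pan[-4:]}"


class Wallet:
    """Device side: holds the token and device key, never the PAN."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token = token
        self._key = device_key
        self._counter = 0

    def pay(self, merchant_id: str, amount_cents: int) -> dict:
        """Build the message the POS terminal and network see: token, not PAN."""
        self._counter += 1
        return {
            "token": self.token,
            "merchant_id": merchant_id,
            "amount_cents": amount_cents,
            "counter": self._counter,
            "cryptogram": compute_cryptogram(self._key, self.token, merchant_id,
                                             amount_cents, self._counter),
        }


def demo() -> dict:
    """Run one legitimate payment and several abuse attempts (constructed data)."""
    now = 1_700_000_000
    vault = TokenVault()
    token, key = vault.provision("4111111111111111", "MERCHANT-42", 5_000, now + 86_400)
    wallet = Wallet(token, key)
    out: dict = {}
    legit = wallet.pay("MERCHANT-42", 1_250)
    out["pan_in_message"] = "4111111111111111" in repr(legit)
    out["legit"] = vault.authorise(legit, now)[1]
    out["replay"] = vault.authorise(legit, now)[1]                 # same message again
    cloned = Wallet(token, secrets.token_bytes(32))                # token stolen, key not
    out["cloned_device"] = vault.authorise(cloned.pay("MERCHANT-42", 1_250), now)[1]
    out["wrong_merchant"] = vault.authorise(wallet.pay("MERCHANT-99", 1_250), now)[1]
    out["over_limit"] = vault.authorise(wallet.pay("MERCHANT-42", 9_999), now)[1]
    out["expired"] = vault.authorise(wallet.pay("MERCHANT-42", 100), now + 2 * 86_400)[1]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The point of the two rejections near the end of `authorise` is that neither a captured message nor a token copied onto a second device gets anywhere: the copied token still has the right merchant and amount, but the cryptogram was computed under the wrong key, and a verbatim replay carries a counter the issuer has already consumed.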
A lost or stolen device carrying a mobile wallet can be remotely wiped, and because the consumer’s actual card data is not stored on the device, the underlying cards do not need to be reissued.
Merchants stand to gain from mobile payments as well. According to the guidance, “a fundamental benefit for businesses is that increased security should cut fraud and hence lower costs.” The guide also points out that integrating mobile payments into a merchant’s operations opens the door to richer customer loyalty programmes and allows a transaction to complete even when the consumer does not have the physical payment card to hand.
These security benefits may come as a surprise to the general public and to security professionals who regard mobile payments as unsafe: in ISACA’s 2015 Mobile Payment Security Survey, only 23% of IT and cybersecurity professionals said they believed mobile payments kept personal information safe. Nonetheless, Ovum forecasts that 1.09 billion people worldwide will use mobile payments by 2019, up from 44.55 million in 2014.
For all the advantages of modern mobile payment methods, the guide also flags remaining weak points, notably the moment a user first enrols a credit card in a mobile wallet application. To reduce that exposure, wallet providers can pass the issuing bank details of the card together with the device’s location, and trigger a call for further verification when the two do not match.
The guide urges businesses that accept mobile payments to review their risk controls periodically so that any new scenarios are adequately addressed.